Back to news

AST-2013-003: Username disclosure in SIP channel driver

#
Author: Matt Riddell
Daily Asterisk News
Ask Question

              Asterisk Project Security Advisory - AST-2013-003

         Product         Asterisk                                            
         Summary         Username disclosure in SIP
                         channel driver           
    Nature of Advisory   Unauthorized data disclosure                        
      Susceptibility     Remote Unauthenticated Sessions                     
         Severity        Moderate                                            
      Exploits Known     No                                                  
       Reported On       January 30, 2013                                    
       Reported By       Walter Doekes, OSSO B.V.                            
        Posted On        February 21, 2013                                   
     Last Updated On     March 27, 2013                                      
     Advisory Contact    Kinsey Moore                     
         CVE Name        CVE-2013-2264                                       

   Description  When authenticating via SIP with alwaysauthreject enabled,   
                allowguest disabled, and autocreatepeer disabled, Asterisk   
                discloses whether a user exists for INVITE, SUBSCRIBE, and   
                REGISTER transactions in multiple ways.                      

                This information was disclosed:                              

                * when a "407 Proxy Authentication Required" response was    
                sent instead of "401 Unauthorized" response.                 

                * due to the presence or absence of additional tags at the   
                end of "403 Forbidden" such as "(Bad auth)".                 

                * when a "401 Unauthorized" response was sent instead of     
                "403 Forbidden" response after a retransmission.             

                * when retransmissions were sent when a matching peer did    
                not exist, but were not when a matching peer did exist.      

   Resolution  This issue can only be mitigated by upgrading to versions of  
               Asterisk that contain the patch or applying the patch.        

                              Affected Versions
               Product                Release Series    
         Asterisk Open Source              1.8.x        All Versions         
         Asterisk Open Source              10.x         All Versions         
         Asterisk Open Source              11.x         All Versions         
          Certified Asterisk              1.8.15        All Versions         
      Asterisk Business Edition            C.3.x        All Versions         
        Asterisk Digiumphones        10.x-digiumphones  All Versions         

                                 Corrected In
                 Product                              Release                
          Asterisk Open Source               1.8.20.2, 10.12.2, 11.2.2       
          Asterisk Digiumphones                10.12.2-digiumphones          
           Certified Asterisk                      1.8.15-cert2              
        Asterisk Business Edition                     C.3.8.1                

                                    Patches                             
                               SVN URL                                  Revision  
http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.diff         Asterisk  
                                                                        1.8       
http://downloads.asterisk.org/pub/security/AST-2013-003-10.diff          Asterisk  
                                                                        10        
http://downloads.asterisk.org/pub/security/AST-2013-003-11.diff          Asterisk  
                                                                        11        
http://downloads.asterisk.org/pub/security/AST-2013-003-1.8.15-cert.diff Certified 
                                                                        Asterisk  
                                                                        1.8.15    
http://downloads.asterisk.org/pub/security/AST-2013-003-C.3.diff         Asterisk  
                                                                        BE C.3    

      Links    ASTERISK-21013       

   Asterisk Project Security Advisories are posted at                        
   http://www.asterisk.org/security                                          

   This document may be superseded by later versions; if so, the latest      
   version will be posted at                                                 
   http://downloads.digium.com/pub/security/AST-2013-003.pdf and             
   http://downloads.digium.com/pub/security/AST-2013-003.html                

                               Revision History
       Date          Editor                    Revisions Made                
   2013-02-20    Kinsey Moore    Initial revision.                           
   2013-02-27    Kinsey Moore    Added Asterisk BE patch information.        
   2013-02-27    Kinsey Moore    Corrected open source Asterisk versions.    

              Asterisk Project Security Advisory - AST-2013-003
             Copyright (c) 2013 Digium, Inc. All Rights Reserved.
 Permission is hereby granted to distribute and publish this advisory in its
                          original, unaltered form.


Comments


Related posts

Back to top

Ready to supercharge your business?

Dialer pricing from only $300 per month!